Certmate is a new way to manage certificates for Cisco collaboration infrastructure. It enables generation of certificates with only some simple public DNS configuration.

These certificates are also free!


Current Functionality

Automated Certificates for Expressway

  1. Connect to an Expressway, request CSR with additional SAN(s)
  2. Request TXT challenges from Let's Encrypt
  3. Verify challenges are present in public DNS
  4. Submit CSR to Let's Encrypt
  5. Upload certificate and trust tree to Expressway

Manual Certificates with CSR upload


  • Certmate is a free tool that is not supported for production environments
  • Certmate will not provide automation of the certificate management process; this will be provided by another Yarnlab product, Encrypto, after the beta is complete



  • Support additional collaboration infrastructure
    • Cisco Unified Collaboration Manager (CUCM)
    • Cisco Unified Presence (CUP/IMP)
    • Cisco Unity Connection (UCXN)
    • Cisco Unified Contact Center Express (UCCX)
    • Cisco Meeting Server (CMS/Acano)
  • Add verification check after certificate push by making a connection (HTTPS/SIP/etc) to presented cert and trust tree
  • Additional client support
    • Mac 
  • Automatic client updates
  • Code signing (remove warning on Windows)
  • Adding passphrase to LE account private keys for LE Authz (local PC security)

CertMate is currently in beta and is for lab and test systems only

Certmate is NOT to be used for production systems

When using the staging endpoint Certmate will not issue trusted certificates!

USE AT OWN RISK during beta



.... is best effort for Certmate. Please contact us if you require a solution to support production

  • Join the Certmate spark room (form below) and ask questions there
  • Issues can also be raised using the feedback tab on the right of the page or inside the Certmate app (please make sure you include contact details and as much info as possible)



Sign up for updates and be added to the Certmate spark room

Note you will have to confirm via email


Instructions and Details

Automated Services

  • Expressway 8.8 or higher
  • VCS 8.8 or higher (untested)

Certmate requirements

  • Internet access and HTTPS and SSH connectivity to services (expressway)


  • Hostname and domain defined 
  • Cluster FQDN defined
  • DNS configuration 
  • NTP configuration


Accounts are where you manage your identity information. An account can point to either the Let's Encrypt staging or production endpoint, and is a method of separating different environments or customers.

Here you will

  1. Enter your name for the account
  2. Enter your email address (must be real); it is used for expiration warnings
  3. Select endpoint (production): https://acme-v01.api.letsencrypt.org. The staging endpoint does not issue trusted certificates
  4. Click register account
  5. Check that your registration is populated
  6. Accept Let's Encrypt terms

Staging is used for testing; it does not have rate limits and issues a certificate that is not trusted (“Fake LE Root X1”).

Let's Encrypt limits

  • Certificates are issued for 90 days
  • Certificates per Registered Domain (20 per week)
  • Duplicate Certificate limit of 5 certificates per week
  • Limit of 100 Names per Certificate
  • Failed Validation limit of 5 failures per account, per hostname, per hour
  • Maximum of 300 Pending Authorizations on your account
  • 500 Accounts per IP Address per 3 hours

There is a Renewal Exemption to the Certificates already registered


Service / Certs

This is where you define your services (expressway only currently)

This should be done before adding any names/authz as Certmate will discover the expressway

Here you will

  1. Add a new service
  2. Enter a friendly name, IP address or FQDN, username and password
  3. Press refresh cluster and hostname (note that the fixed hostname and fixed cluster name are updated)
  4. At this point we can add a new certificate
    1. If you need to add additional FQDNs or SANs, go to the Names / Authz section to add them before starting
    2. Enter certificate details and generate certificate
    3. Now go to Names / Authz, as the fixed FQDN and fixed cluster FQDN will have been automatically added

Once the names have been authorized you can now go back to your certificate that is in the prepared state

  1. Click generate certificate - this will generate the server certificate with LE and download trust tree
  2. Click push certificate - this will push the certificate and trust tree to the expressway

Certmate relies on the expressway REST API which is only available from version 8.8

Note that all certificates issued by LE are published to the Google certificate transparency project


Names / Authz


This is where the list of names or FQDN(s) is added and the LE auth challenges are created, tested and verified

Here you will

  1. Add any additional names that are required
  2. You will now see a list of the challenges that are required to be created in public DNS
  3. Once the TXT records have been created, click check DNS to make sure the challenges match
  4. Once the DNS check matches click TXT created to authorize with LE
  5. Once completed the names status should show as valid
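
The DNS check in step 3, sketched as an added example (this is not Certmate's own code; the page does not show how Certmate implements it). It follows the ACME dns-01 rules from RFC 8555 and the JWK thumbprint from RFC 7638; the function names, the account key, the token and the published records are all constructed for illustration.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def expected_txt(token: str, account_jwk: dict) -> str:
    """TXT value for dns-01: base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def check_dns(fqdn: str, token: str, account_jwk: dict, published: dict) -> str:
    """Return 'match', 'mismatch' or 'missing' for one name.

    `published` maps a record name to the TXT strings a public resolver returned.
    """
    name = "_acme-challenge." + fqdn.rstrip(".").lower()
    records = published.get(name, [])
    if not records:
        return "missing"
    # Resolver output is often quoted, and several TXT values may share one name.
    values = {r.strip().strip('"') for r in records}
    return "match" if expected_txt(token, account_jwk) in values else "mismatch"

# Constructed sample data: not a real account key, token or DNS answer.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x",
               "y": "constructed-y", "alg": "ES256"}
TOKEN = "constructed-token-0001"
PUBLISHED = {
    "_acme-challenge.expwe1.lab.domain1.io": [
        '"stale-value-from-earlier-order"',
        f'"{expected_txt(TOKEN, ACCOUNT_JWK)}"',
    ],
    "_acme-challenge.lab.domain1.io": ['"wrong-value"'],
}

if __name__ == "__main__":
    for fqdn in ("expwe1.lab.domain1.io", "lab.domain1.io", "lab.domain2.io"):
        print(fqdn, check_dns(fqdn, TOKEN, ACCOUNT_JWK, PUBLISHED))
```

A "mismatch" usually means the TXT record was created for a different account or an earlier challenge, and submitting it anyway counts against the failed validation limit listed above.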


This SOFTWARE PRODUCT is provided by THE PROVIDER "as is" and "with all faults." THE PROVIDER makes no representations or warranties of any kind concerning the safety, suitability, lack of viruses, inaccuracies, typographical errors, or other harmful components of this SOFTWARE PRODUCT. There are inherent dangers in the use of any software, and you are solely responsible for determining whether this SOFTWARE PRODUCT is compatible with your equipment and other software installed on your equipment. You are also solely responsible for the protection of your equipment and backup of your data, and THE PROVIDER will not be liable for any damages you may suffer in connection with using, modifying, or distributing this SOFTWARE PRODUCT.

Conceptual Deployment Details

Note these are still in testing


Multiple Domains Single CUCM - Work in progress 

Primary domain = lab.domain1.io
Secondary domain = lab.domain2.io
expressway fqdn expwe1.lab.domain1.io
Dual NIC expressway E

Internal DNS

This is required so that Expressway-C can find the CUCM for UDS requests - make sure Expressway-C is pointing to internal DNS (TLS verify off)
SRV _cisco-uds._tcp.lab.domain1.io 10 10 8443 cucm105.lab.domain1.io
SRV _cisco-uds._tcp.lab.domain2.io 10 10 8443 cucm105.lab.domain1.io (could also use domain2)

External DNS

A expwe1.lab.domain1.io
PTR expwe1.lab.domain1.io (required for expressway >8.8)
Primary domain
SRV _collab-edge._tls.lab.domain1.io 10 10 8443 expwe1.lab.domain1.io
SRV _sips._tcp.lab.domain1.io 10 10 5061 expwe1.lab.domain1.io
SRV _sip._tcp.meet.domain1.io 10 10 6080 expwe1.lab.domain1.io - non default port
Secondary domain
SRV _collab-edge._tls.lab.domain2.io 10 10 8443 expwe1.lab.domain2.io
SRV _sips._tcp.lab.domain2.io 10 10 5061 expwe1.lab.domain2.io
SRV _sip._tcp.lab.domain2.io 10 10 6080 expwe1.domain2.io - non default port

Expressway C

HTTP allow rule - you may need this TBA
https    cucm105.lab.domain2.io    8443    Prefix    /cucm-uds/
Add both domain1 and domain2 to the same UC deployment

Certmate expressway-e

Names required to be generated by CertMate

  • expwe1.lab.domain1.io (expressway FQDN) - CertMate discovers via SSH
  • expwe.lab.domain1.io (expressway cluster FQDN)  - CertMate discovers via SSH
  • expwe1-int.lab.domain1.io Optional (internal interface FQDN for traversal - dual NIC) - Manually add Name to CertMate 
  • lab.domain1.io (SIP registration domain1) - Manually add Name to CertMate 
  • lab.domain2.io (SIP registration domain1) - Manually add Name to CertMate 

CollabEdgeDNS (option if you don't want to use roots)

  • collab-edge.lab.domain1.io
  • collab-edge.lab.domain2.io


Users can be defined in various username formats, e.g. testuser, testuser@lab.domain1.io or testuser@lab.domain2.io
Can login with in jabber


To log in just enter service domain, username and password. You can generate QR codes

For users in domain2 you will need to set the service domain to domain1 (WIP)


To login just enter username, domain and password


To log in, enter username and password - no voice service domain or custom config required


Multiple Domains Multiple CUCMs - coming soon

CMS integration

IMP and UCXN integration - coming soon

TLS end to end - coming soon

UCCX - coming soon


Release notes


Initial release

1.0.2 - 22/6/2017

Bug fixes

Removed restriction on expressway to have cluster name defined

Added manual CSR upload service for use on CUCM and CMS or EXPW that are in secured networks